Method for secure user and transaction authentication and risk management

ABSTRACT

To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user&#39;s signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/015,592, filed Feb. 4, 2016, which is a continuation of U.S. patentapplication Ser. No. 14/330,025, filed Jul. 14, 2014, now U.S. Pat. No.9,325,702, which is a continuation of U.S. patent application Ser. No.13/011,739, filed Jan. 21, 2011, now U.S. Pat. No. 8,806,592, which is acontinuation-in-part of U.S. patent application Ser. No. 13/011,587,filed Jan. 21, 2011, now U.S. Pat. No. 8,789,153, which claims prioritybased on Provisional U.S. Application Ser. No. 61/298,551, filed Jan.27, 2010. The contents of the above-identified applications are herebyincorporated herein in their entirety by reference.

TECHNICAL FIELD

This invention relates to security and privacy. More particularly itrelates to user and transaction authentication and risk management.

BACKGROUND OF THE INVENTION

User authentication using techniques such as passwords, one timepasswords, hardware or software smart cards, etc., have all proven to beeither too weak and susceptible to man in the middle (MITM) or man inthe browser (MITB) attacks, or else have proven too cumbersome andexpensive. The use of single sign on techniques such as OpenID, FaceBookConnect, etc., only make the problem worse as once the attacker hascompromised the master account they can now break into all otheraccounts that rely on that initial login. Further, the focus ofattackers has shifted from trying to break the login process to usingsophisticated techniques to come in after the act of login and to attackthe transactions being performed. This has made transactionauthentication, the act of confirming if the transaction seen at theback end web server is identical to that intended by the user, even moreimportant.

Out of band authentication (OOBA), a technique by which a transaction isrelayed to the user, and confirmation obtained, using an alternate formof communication, for instance by placing a voice phone call or a textmessage, is a promising alternative, but is also to inconvenient andcostly to be used very often. It might be useful for the highest valuetransactions, or rare events like password resets, but using it forlarge number of transactions is too costly and cumbersome.

In prior work (see the related applications identified above), wedescribed an innovation that addresses some of these problems.Specifically, we introduced the notion of the establishment of asecurity server that communicates with an independent pop-up window onthe user's desktop that is being used to access the website. Wedescribed how this security server can alert the user, viacommunications to the pop-up as to the legitimacy of the web site theuser is browsing via their browser. We also described how this pop-upwindow can provide a user with a one time password to enable login intothe web site (i.e. authentication of the user to the website), based ona secret shared between the web site and the security server. Ofparticular utility in this invention was that it provided the securityof one time passwords, but did not require a per user shared secretwhich all prior one time password systems have required.

The innovations described herein extend our prior work to provide for(i) transaction authentication, (ii) different hardware and softwareform factors as substitutes for the browser based pop up, and (iii)using accumulated login and transaction data as an input to a riskmanagement engine.

OBJECTIVES OF THE INVENTION

This invention has the following objectives:

-   -   Develop a new transaction authentication technique that can be        more ubiquitously applied to a larger number of transactions        without compromising usability and cost.    -   Develop new pop up substitutes to communicate information such        as transaction signatures.    -   Develop a technique for better risk management based on user        activity information.

Additional objects, advantages, novel features of the present inventionwill become apparent to those skilled in the art from this disclosure,including the following detailed description, as well as by practice ofthe invention. While the invention is described below with reference topreferred embodiment(s), it should be understood that the invention isnot limited thereto. Those of ordinary skill in the art having access tothe teachings herein will recognize additional implementations,modifications, and embodiments, as well as other fields of use, whichare within the scope of the invention as disclosed and claimed hereinand with respect to which the invention could be of significant utility.

SUMMARY DISCLOSURE OF THE INVENTION

In accordance with certain aspects of the invention, a secure usersignature can be provided on a network transaction, such as the user'spurchase of a product from a vendor or movement of account funds from abank or investment house, via a network, such as the Internet. Thesignature authenticates the user and confirms the transaction to thenetwork site, which is sometimes referred to as a website, with whichthe user is transacting. To facilitate the signing of a transaction, asecurity server receives transaction information representing atransaction between a network user and a network site, directly from thenetwork site. The transaction information could, for example, include aproduct description and price or an account identifier and amount offunds to be moved. The security server calculates a one-time-password(OTP) based on (i) the received transaction information and (ii) asecret shared by the security server and the network site, but not bythe user. The security server then transmits the calculatedone-time-password for application as the user's signature on thetransaction, and hence as an authentication of the user and confirmationof the transaction to the network site. To validate the transmittedone-time-password, the network site independently calculates theone-time-password based on the shared secret and transactioninformation, and compares this to the one-time-password transmitted bythe security server.

From a network site perspective, a user signature on a networktransaction can be validated by the network site receiving, from a usernetwork device, transaction information representing a transactionbetween a user and the network site. The network site transmits thetransaction information directly to the security server. That is thetransaction information is not sent to the security server via the user.The network site receives a one-time-password as the user's signature onthe transaction, from the user network device. The network sitecalculates a one-time-password based on (i) the received transactioninformation and (ii) a secret shared by a security server and thenetwork site, but not by the user. The network site then verifies thesignature based on a comparison of the received one-time-password andthe calculated one-time-password.

According to certain aspects of the invention, the one-time-password maybe received by the network site from a network page associated with thenetwork site and displayed on a network device associated with the user.As noted above, the transaction information could, for example, includetransaction details relating to a product being purchased and its priceor relating to bank accounts from and to which funds are beingtransferred and the amount of the transfer.

In one embodiment the security server transmits the calculatedone-time-password to the same user network device as that displaying thenetwork page, for presentation on a window, such as a web pop-up orcustom application window, that is also displayed by that user networkdevice, and for entry by the user, for example by cutting and pasting ortyping, onto a displayed network page so as to be transmitted to thenetwork site.

According to another embodiment of the invention, the network devicewhich displays the network page is one (e.g. a first) user networkdevice, for example a computer, such as a desktop computer. In thisembodiment, the security server transmits the calculatedone-time-password to another (e.g. a second) user network device, whichdifferent than the first user network device, for presentation on awindow displayed by the second user network device and entry by the useronto the network page displayed by the first user network device. Here,because separate devices are being used, the user may, for example, berequired to type the one-time-password presented on a window of thesecond user network device into the network page displayed on the firstuser network device. Preferably, the first and second user networkdevices are of different types. For example, if the first user networkdevice is a computer, such as a desktop computer, the second typenetwork device might be a personal mobile network device, such as amobile smart phone or smart card.

According to still further aspects of the invention, where multipledifferent user network devices are utilized, the security server mayreceive a request of a network site to have the user authenticated forreasons unrelated to a particular transaction. In such a case, thesecurity server calculates a one-time-password based on a secret sharedby the security server and the network site, but not by the user. Thesecurity server transmits the calculated one-time-password to a windowdisplayed on one network device of the user. The user can now enter thecalculated one-time-password from the window displayed on the onenetwork device onto the network page, e.g. a web page, associate withthe network site and displayed on another user network device, toauthenticate himself or herself to the network site. Of course, asdiscussed above, if a transaction is involved, the security server wouldpreferably also receive transaction information as has been discussedabove. In such a case, the one-time-password is calculated based alsothe transaction information.

From a network site perspective, to authenticate a user on a network,the network site transmits, directly to the security server, a requestto have a user authenticated. In response, the network site receives aone-time-password from a network device of the user. The network sitecalculates a one-time-password based on a secret shared by the securityserver and the network site, but not by the user. By comparing thereceived one-time-password and the calculated one-time-password, thenetwork site can authenticate the user.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 depicts the main components of the system in accordance theparent application.

FIG. 2 shows the system augmented with user authentication, in this caseachieved using out of band authentication, in accordance with the parentapplication.

FIG. 3 depicts a log of network activities that can be maintained andused for augmented risk intelligence analysis, in accordance with theparent application.

FIG. 4 depicts the main components of the system in accordance with thepresent invention.

FIG. 5 shows the system augmented with user authentication, in this caseachieved using out of band authentication, in accordance with thepresent invention.

PREFERRED EMBODIMENT(S) OF THE INVENTION

In prior work we had described how the introduction of a network basedsecurity server that has an independent channel to a user pop-up can beused in conjunction with a user's browser and the web site they arevisiting to provide both web site and user authentication via a singleuser network device.

Our first new innovation is to extend this concept to transactionauthentication. Specifically, when a web site receives a transactionfrom a user browser, which it wished to confirm, it sends thetransaction information to the security server, which forwards thetransaction information to the user pop-up along with a one timetransaction signature which is computed based on a secret shared betweenthe security server and the web server and on the transactioninformation. The user transfers this one time transaction signature tothe web server via the browser, and the web server can recalculate theone time transaction signature, and if there is a match, can be assuredthat the user has confirmed the transaction.

Our second innovation is to extend the concept of a browser based pop upto different form factors. For instance the pop-up can be implemented asa smartphone app, as a dedicated part of a smartphone screen which isused only for this purpose, or it could be implemented as a smartcard.

Our third innovation is to take advantage of the fact that the pop-up(or its substitute) has a log of every user login and transaction.Currently risk engines watch user activity at a given web site todetermine suspicious behavior. Or in some cases networks of web sitesshare such information. In other words data from the back-end systems isanalyzed. In our system the pop-up's log of a user's login andtransaction history provides a user centric front end way to capturethis information and augment the capabilities of the risk engines.

We will first describe our preferred embodiment for transactionauthentication. As shown in FIGS. 1 and 2 the system consists of thefollowing components:

-   -   A security server.    -   A pop-up window on the user's desktop.    -   A browser on the user's desktop.    -   The web site at which the user is performing the transaction.

As described in our prior work, the user will first go through a set upand personalization phase which is a one-time process, and will thenstart up or activate the pop up using a technique such as out of bandauthentication. At this point the security server will have an activecommunication channel open to the user which it identifies by some useridentifier, for instance the phone number used for out for bandauthentication. Further, the web site at which the user is transactingand the security server would have previously agreed on a shared secret.

The user using the browser selects a transaction, e.g. “Pay Alice $100”,which is transmitted by the browser to the web server. The web servertransmits this transaction to the security server via the user'sbrowser. The security server computes a one time transaction signatureas a function of (i) the transaction details and (ii) the secret itshares with that particular web site. The security server then transmitsthis one time transaction signature to the user's pop-up window. Theuser cuts and pastes or otherwise copies this one time transactionsignature into the web browser and the signature is transmitted back tothe web site. The web site independently computes the transactionsignature using the (i) the transaction details and (ii) the secret itshares with the security server, and compares it with the one receivedfrom the user. If the two signature's match then the web server can beassured that the security server saw the same transaction it sent (i.e.not a transaction manipulated en route to the security server), andsince the security server is showing the user the transaction in anindependent channel, user confirmation of the transaction is obtained.

In a second preferred embodiment we extend both our prior work regardingauthentication, such as that described above in our first preferredembodiment, to the case where the pop-up is implemented in one of avariety of different form factors. One variety contemplates the pop-upwindow being on an application on a mobile device, another contemplatesthe window using a dedicated part of the display area of a personalmobile network device, such as a smart phone, and the last contemplatesthe pop-up window being embodied in dedicated hardware similar to thatof a smartcard, which has communication capabilities. In all cases allfunctionality will work in exactly the same fashion, except that theuser can no longer cut and paste the one time passwords used forauthentication and would instead have to type them into the web browseroperating on a different network device. These form factors provideadditional layers of security simply by being independent of the user'sdesktop computer running the browser.

In either the first or second preferred embodiment as a user performsmultiple logins and transactions the pop-up or its substitute has theability to store a history or log of these events. Such data can then befed to risk management engines which today only have access to patternsof user activity which they observe from one or more web sites.

In summary, as a first extension to our prior work, one innovationallows us to significantly strengthen the binding between the user, thesecurity server acting as an Identity Provider and the website which isthe Relying Party in the case of transactions made over a network, suchas the purchase of a product by a user at the website. Here, like in ourprior work, we assume that the security server and the web site have apriori agreed on a shared secret (the system is easily extended to usepublic key cryptography). Additionally, as shown in FIG. 2, we alsoassume that the user has used some method, for instance out-of-bandauthentication, to authenticate to the security server. When the userwishes to enter into a transaction at a website, such as the purchase ofa product offered at the website or the transfer of funds from a bankaccount, the web site communicates transaction details (such as the typeand amount of the transaction), which are presented both on a web pagedisplayed to the user via the user's browser and on a pop-up window.Before proceeding with the transaction, the website requiresauthentication and confirmation of the transaction, or what is commonlyreferred to as a signature of the user on the transaction. Therefore,the web page additionally displays a blank for entry of the user'ssignature. Furthermore, the website also communicates a request for theuser's signature on the identified transaction to the security server.The security server calculates a one-time-password as a function of (i)the secret it shares with the web site and (ii) the applicabletransaction details displayed in the pop-up window, and displays theone-time-password to the user in the pop-up window. The user enters(perhaps by cutting and pasting) this one-time-password onto the webpage, which serves as the user's signature on the transaction, which isthereby transmitted to the web site. The website confirms theauthenticity of the signature by re-computing the one-time-password fromthe secret it shares with the security server and the transactiondetails. Here again, this system has all the security properties ofone-time-passwords, yet has the tremendous advantage that it does notrequire a shared secret with each user, and it is only the securityserver and the web sites that need shared secrets for the purpose ofgenerating one-time-passwords used as signatures on transactions. Theactual one-time-password can, if desired, also be constructed based on atime stamp or a counter based OTP algorithm (in the way we use thesealgorithms the time or counter value needs to be communicated by thesecurity server to the web site; or potentially computeddeterministically using some agreed upon formula).

A further extension provides an application which allows thepop-up-window itself to reside on the user's smart phone, smart card orother small personal intelligent mobile network device, rather than onthe network device, e.g. a desktop computer, being used to access theapplicable website via its browser. For example, this is easilyaccomplished on a smart phone because the phone is already personalizedand, in accordance with the techniques described above, does not need tostore a special secret or execute one-time-password software. Rather,only the website and the security server share the necessary secret andonly the security server generates the one-time-passwords required foruser authentication and user signature.

Finally, a further innovation allows us to provide augmented riskintelligence analysis. In this regard, conventional risk analysis relieson data from websites. However, because of the flow of information, alog of data, such as one of the type shown in FIG. 3, capturing theuser's activities while the pop-up window was active can be easilymaintained. The log could, for example, be maintained by the securityserver website, and the user can access this log. If desired the user orthe security server can compute the user's risk profile. Additionally,or alternatively, the logged data can be forwarded to a third party riskengine, where it can be married with data received from websites visitedby the user so that the risk engine can provide the user with anaugmented risk intelligence analysis.

In a further preferred embodiment, we extend both our prior workregarding authentication, to allow for direct communications ofauthentication requests and transaction information between the websiteand the security server.

As described in our prior work and with reference to FIGS. 4 and 5, theuser will first go through a set up and personalization phase which is aone-time process, and will then start up or activate the pop up using atechnique such as out of band authentication. At this point the securityserver will have an active communication channel or session open to theuser which it identifies by some user identifier, for instance the phonenumber used for out of band authentication. Further, the web site atwhich the user is transacting and the security server would havepreviously agreed on a shared secret.

The user using the browser selects a transaction, e.g. “Pay Alice $100”,which is transmitted by the user's browser) to the web server. The webserver transmits this transaction to the security server via a directlink that has been established between the web site and the securityserver (rather than via the user's browser). The security servercomputes a one time transaction signature as a function of (i) thetransaction details and (ii) the secret it shares with that particularweb site. The security server then transmits this one time transactionsignature to the user's pop-up window. The user cuts and pastes orotherwise copies this one time transaction signature into the webbrowser and the signature is transmitted back to the web site. The website independently computes the transaction signature using the (i) thetransaction details and (ii) the secret it shares with the securityserver, and compares it with the one received from the user. If the twosignature's match then the web server can be assured that the securityserver saw the same transaction it sent (i.e. not a transactionmanipulated en route to the security server), and since the securityserver is showing the user the transaction in an independent channel orsession, user confirmation of the transaction is obtained.

As will be recognized by those skilled in the art, the pop-up can beimplemented in one of a variety of different form factors. One varietycontemplates the pop-up window being on an application on a mobiledevice, another contemplates the window using a dedicated part of thedisplay area of a personal mobile network device, such as a smart phone,and the last contemplates the pop-up window being embodied in dedicatedhardware similar to that of a smartcard, which has communicationcapabilities. In all cases all functionality will work in exactly thesame fashion, except that the user can no longer cut and paste the onetime passwords used for authentication and would instead have to typethem into the web browser operating on a different network device. Theseform factors provide additional layers of security simply by beingindependent of the user's desktop computer running the browser.

What is claimed is:
 1. A method of authenticating a user on a network,comprising: receiving, by a security server, a request of a network siteto have the user authenticated; generating, by the security server, aone-time-password, wherein the one-time-password is generated as afunction of a secret shared by the security server and the network sitebut not known to the user, and wherein the shared secret comprises apredetermined value agreed upon by both the security server and thenetwork site to be used for all users utilizing the enterprise; andtransmitting over the network, by the security server to a remotelylocated first network device of the user, the one-time-password forentry by the user on a second network device of the user for subsequentverification by the network site to thereby authenticate the user. 2.The method of claim 1, wherein: the first network device of the user isof a type that is different than the second network device of the user.3. The method of claim 1, wherein: the first network device of the useris a mobile smart phone; and the second network device is a computer. 4.The method of claim 1, further comprising: storing, at the securityserver, a log of transactions between the user and the network site. 5.The method of claim 4, further comprising: computing, by the securityserver, a risk profile of the user based on the stored transactions log.6. The method of claim 5, further comprising: transmitting, by thesecurity server to a third party, the stored transactions log for riskanalysis.
 7. The method of claim 1, wherein the one-time-password isbased on a time stamp.
 8. The method of claim 1, wherein receiving therequest comprises receiving first information, wherein the firstinformation comprises the user's phone number.
 9. The method of claim 1,wherein the user is authenticated using the one-time-password enteredinto the network site on the second network device.
 10. The method ofclaim 1, further comprising: receiving the request from a first usernetwork device to perform a transaction, wherein the one-time-passwordis received from a second user network device.
 11. A method ofauthenticating a user on a network site, comprising: transmitting, bythe network site directly to a security server, a request to have theuser authenticated; receiving, by a network page associated with thenetwork site from a network device of the user, a one-time-password forauthentication, wherein: the one-time-password is generated andtransmitted over a network, by the security server to the network deviceof the user for entry by the user onto the network page using anotheruser network device; the network device of the user is remotely locatedfrom the security server; the one-time-password is generated as afunction of a secret shared by the security server and the network sitebut not known to the user; and the secret shared by the security serverand the network site comprises a predetermined value agreed upon by boththe security server and the network site to be used for all usersutilizing the enterprise; receiving, by the network site, theone-time-password; receiving second information directly from thesecurity server; and authenticating, by the network site, the user basedon the second information.
 12. The method of claim 11, wherein theshared secret is not associated with any particular user.
 13. The methodof claim 11, wherein the network device is of a type that is differentthan the another user network device.
 14. The method of claim 13,wherein: the network device is a mobile smart phone; and the anotheruser network device is a computer.
 15. The method of claim 11, whereinthe one-time-password is based on a time stamp.
 16. A method ofauthenticating a user on a network site, comprising: transmitting, bythe network site directly to a security server, a request to have theuser authenticated using a one-time password to be generated by thesecurity server, wherein: the one-time-password is generated as afunction of a secret shared by the security server and the network sitebut not known to the user; and the secret shared by the security serverand the network site comprises a predetermined value agreed upon by boththe security server and the network site to be used for all usersutilizing the enterprise; receiving, by a network page associated withthe network site from a network device of the user, theone-time-password generated by the security server, wherein theone-time-password is transmitted over a network, by the security serverto the network device of the user for entry by the user onto the networkpage using another user network device, wherein the network device ofthe user is remotely located from the security server; andauthenticating, by the network site, the user based on theone-time-password.
 17. The method of claim 16, further comprising:receiving the request from a first user network device to perform atransaction, wherein the one-time-password is received from a seconduser network device.
 18. The method of claim 17, wherein the first usernetwork device is of a type that is different than the second usernetwork device.
 19. The method of claim 16, wherein theone-time-password is based on a time stamp.
 20. The method of claim 16,wherein transmitting the request comprises transmitting firstinformation, wherein the one-time-password is generated based in part onthe first information.